
Terms of Service & Privacy Policy

TinyBox VPS Hosting Services

Version: 2.0
Effective: July 13, 2025
Last Updated: July 13, 2025

Legal Compliance: EU GDPR, US DMCA/CCPA, UK Data Protection Act 2018, DSA




PART I: GENERAL INFORMATION



§ 1. Company Information and Contact Details



1.1. Service Provider Identity:
- Company Name: Mateusz Chrobok PWND
- Legal Form: Individual entrepreneur (jednoosobowa działalność gospodarcza)
- VAT ID: PL 9542501714
- Business Address: Staromiejska 6/10D, Poland
- Email: [email protected]
- Service Name: tinybox VPS Hosting

1.2. Regulatory Compliance:
- EU E-Commerce Registration: Compliant with E-Commerce Directive 2000/31/EC
- Data Controller: Mateusz Chrobok PWND (GDPR Article 4(7))
- DMCA Designated Agent: [email protected] (per 17 USC §512(c)(2))
- DSA Point of Contact: Available via company email address

1.3. Professional Indemnity: Service provider maintains appropriate business insurance as required by applicable law.

§ 2. Definitions and Terminology



2.1. Core Service Definitions:
- "Service" means the tinybox VPS hosting platform and all related services
- "VPS" means Virtual Private Server - isolated virtualized computing environment
- "Client" means any individual or entity purchasing or using our services
- "Consumer" means individual acting for purposes outside trade/business/profession
- "Business Client" means entity or individual acting for commercial purposes

2.2. Legal and Technical Terms:
- "Personal Data" has meaning under GDPR Article 4(1) and equivalent laws
- "Processing" has meaning under GDPR Article 4(2) and equivalent laws
- "Controller" and "Processor" as defined in GDPR Article 4(7-8)
- "Cookies" means small data files stored on user devices
- "Content" means any data, files, or materials stored on VPS servers

2.3. Contract and Billing Terms:
- "Subscription Period" means agreed service duration (typically 12 months)
- "Setup Fee" means one-time activation charge if applicable
- "Recurring Fees" means periodic payments for continued service
- "Cooling-off Period" means 14-day withdrawal right for consumers

§ 3. Scope and Nature of Services



3.1. Service Description:
a) Provision of virtual private server infrastructure

b) Basic technical support and maintenance

c) Network connectivity and data center facilities

d) Control panel access for server management

3.2. Service Levels:
- Standard VPS: Shared hardware resources with guaranteed minimums
- Educational Use: Optimized for learning programming and system administration
- Commercial Use: Permitted for business purposes subject to acceptable use policies

3.3. Geographic Scope:
- Services available globally subject to export control laws
- Data processing primarily within EU/EEA
- Compliance with local laws remains client responsibility

3.4. Service Limitations:
- No guaranteed uptime SLA (Service Level Agreement)
- Resource limits as specified in service plans
- Subject to acceptable use policies defined herein

§ 4. Acceptance of Terms



4.1. Binding Agreement Formation:

a) These terms form a legally binding contract upon order placement

b) Client warrants legal capacity to enter agreements

c) Business clients warrant authority to bind their organization

4.2. Order of Precedence:
1. Individual service agreement (if applicable)
2. These Terms of Service
3. Privacy Policy (integrated herein)
4. Acceptable Use Policy

4.3. Consumer Rights Acknowledgment:
- EU/UK consumers retain statutory rights that cannot be excluded
- US consumers retain rights under applicable state and federal laws
- These terms do not limit mandatory consumer protections

4.4. Amendment Procedures:
- Changes require 30 days advance notice to active clients
- Material changes may trigger new cooling-off period for consumers
- Continued use after notice period constitutes acceptance

PART II: CONTRACT FORMATION AND CONSUMER RIGHTS



§ 5. Pre-contractual Information


(EU Consumer Rights Directive Art. 6, UK Consumer Contracts Regulations 2013)

5.1. Mandatory Information for Consumers:
a) Service Description: VPS hosting with specified RAM, storage, bandwidth

b) Total Price: Including all taxes, fees, and recurring charges

c) Payment Terms: Billing cycle, accepted payment methods, currency

d) Contract Duration: Minimum term and auto-renewal conditions

e) Geographic Restrictions: Export control and sanctions compliance

f) Technical Requirements: Client software and skills needed

5.2. Additional Consumer Disclosures:
- Right of Withdrawal: 14-day cooling-off period (see § 7)
- Performance Timeline: Service activation within reasonable time
- Digital Content Notice: Content begins immediately upon account activation
- Support Availability: Technical support via [email protected] during business hours
- Complaint Procedures: Administrative matters via [email protected]

5.3. Business Client Information:
- Commercial terms available upon request
- Custom service level agreements negotiable
- Volume discounts may apply for multiple services

§ 6. Order Process and Payment



6.1. Order Placement:
a) Orders accepted only through official website

b) Client must provide accurate contact and billing information

c) Age verification: Clients must be 18+ or have parental consent

d) Business clients must provide valid VAT number if applicable

6.2. Payment Processing:
Primary Payment Processors:

a) TPAY (Krajowy Integrator Płatności S.A.):
- Address: ul. Św. Marcin 73/6, 61-808 Poznań, Poland
- Registration: NIP: 7773061579, REGON: 300878437, KRS: 0000412357
- Coverage: Poland, EU markets
- Methods: Bank transfers, BLIK, payment cards, digital wallets

b) Stripe Payments Europe, Ltd.:
- Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland
- Registration: Company No. 513174, VAT ID: IE9825613N
- Coverage: Global markets, primary for international clients
- Methods: Credit/debit cards, digital wallets, bank debits

c) PayPo (PayPo Sp. z o.o.):
- Address: ul. Kanclerska 15, 60-327 Poznań, Poland
- Registration: NIP: 9721088842, REGON: 302948627, KRS: 0000486447
- Coverage: Poland (buy now, pay later service)
- Methods: Deferred payment, installments for Polish consumers

Payment Terms:
- Accepted Methods: Credit/debit cards, bank transfers, digital wallets, BNPL
- Currency: EUR (primary), USD, PLN, GBP accepted
- Billing Cycle: Annual subscription (12 months) standard
- Payment Security: PCI DSS compliant processing for all card transactions

6.3. Order Confirmation and Contract Formation:
- Automated confirmation email sent upon payment authorization
- Contract formed when payment successfully processed
- Service credentials provided via secure email delivery
- Invoice available upon request to [email protected]

6.4. Pricing and Promotions:
- Promotional codes valid only during specified periods
- Price changes apply to new orders and renewals (30 days notice)
- Early termination may forfeit promotional pricing

§ 7. Consumer Right of Withdrawal (14-day cooling-off)


(EU Consumer Rights Directive Art. 9-16, UK Consumer Contracts Regulations)

7.1. Withdrawal Right Scope:
- Eligible Consumers: Individuals purchasing for personal use
- Withdrawal Period: 14 calendar days from contract conclusion
- Business Clients: Not eligible for withdrawal right
- Exceptions: Service fully performed with express consumer consent

7.2. Withdrawal Procedure:
a) Submit withdrawal notice to [email protected]

b) Use withdrawal form (available on website) or clear statement

c) Include order number and reason for withdrawal

d) No penalty fees for legitimate withdrawal

7.3. Withdrawal Consequences:
- Full Refund: Within 14 days of withdrawal notice
- Refund Method: Original payment method used
- Service Termination: Immediate upon withdrawal notice
- Data Deletion: All content permanently removed

7.4. Early Performance Consent:
- Consumer may request immediate service activation
- Express consent acknowledges withdrawal right limitation
- Proportional payment due if withdrawal after service commencement

§ 8. Service Delivery and Performance



8.1. Service Activation:
- Timeline: Within reasonable time of payment confirmation
- Credentials: Delivered via email to registered address
- Access Method: SSH keys and control panel login provided
- Initial Configuration: Basic OS installation included

8.2. Performance Standards:
- Resource Allocation: As specified in selected service plan
- Network Connectivity: Best effort, no guaranteed uptime
- Data Center: EU-based facilities with appropriate security measures
- Backup Services: Client responsibility unless separately contracted

8.3. Service Modifications:
- Migration: Between data centers subject to technical feasibility
- Temporary Adjustments: May occur for maintenance or security

8.4. Performance Issues:
- Report technical issues to [email protected]
- Response time: Best effort during business hours
- Service credits not provided except as required by law
- Alternative dispute resolution available for EU consumers

PART III: ACCEPTABLE USE AND SERVICE RULES



§ 9. Permitted and Prohibited Use


(EU Charter of Fundamental Rights Art. 16, US CFAA 18 USC §1030, OWASP Guidelines)

9.1. Permitted Uses:
a) Educational Activities: Programming learning, system administration training

b) Personal Projects: Non-commercial websites, development environments

c) Business Applications: Commercial websites, applications, services

d) Research and Development: Academic research, software testing

e) Content Hosting: Legal content subject to applicable laws

9.2. Resource Usage Guidelines:
- Fair Use: Consistent with purchased plan specifications
- CPU Intensive Tasks: Batch processing allowed during off-peak hours
- Storage: No content limits beyond allocated space
- Bandwidth: Subject to plan limits and network policies

9.3. Prohibited Services (specifically restricted):
a) Gaming Infrastructure: Game servers, virtual game economies

b) Real-time Communication: Voice servers (TeamSpeak, Discord bots)

c) Cryptocurrency Operations: Mining, trading platforms, wallets

d) High-Load Computing: Distributed computing, data processing farms

e) File Sharing Networks: BitTorrent, P2P protocols, file hosting

f) Anonymization Services: TOR nodes, proxy networks, VPN exits

9.4. Prohibited Activities (compliance with international law):
a) Security Violations:
- Unauthorized access attempts (CFAA violation)
- Network scanning without explicit permission
- Penetration testing of third-party systems

b) Content Violations:
- Illegal content under EU, US, UK, or Polish law
- Adult content without proper age verification
- Copyrighted material without authorization
- Hate speech or incitement to violence

c) Communication Abuse:
- Spam, unsolicited marketing communications
- Phishing, social engineering attacks
- Malware distribution or hosting

d) Service Disruption:
- DDoS attacks or participating in botnets
- Interference with other clients' services
- Circumventing security measures

§ 10. Account Security and Client Responsibilities


(ISO/IEC 27001 standards, NIST Cybersecurity Framework)

10.1. Authentication Requirements:
- Strong Passwords: Minimum 12 characters, mixed character types
- SSH Key Management: RSA 2048-bit minimum, regular key rotation
- Two-Factor Authentication: Recommended for control panel access
- Access Logging: Client responsible for monitoring server access

10.2. Security Obligations:
a) System Maintenance: Regular security updates and patches

b) Vulnerability Management: Prompt remediation of identified issues

c) Access Control: Limiting user accounts to authorized personnel

d) Data Protection: Encryption of sensitive data at rest and in transit

10.3. Monitoring and Compliance:
- Automated Scanning: Provider conducts security vulnerability scans
- Compliance Verification: Random security audits may occur
- Notification Duty: Report security incidents to [email protected]
- Remediation Timeline: 72 hours to address critical vulnerabilities

10.4. Backup and Data Management:
- Client Responsibility: Data backup not provided by default
- Data Recovery: Provider not liable for data loss
- Export Rights: Full data export available upon request
- Data Retention: Client data deleted within 30 days of termination

§ 11. Service Level and Availability



11.1. Service Level Expectations:
- Target Uptime: 99% monthly availability (best effort, not guaranteed)
- Planned Maintenance: Maximum 4 hours monthly with 48-hour notice
- Network Performance: Best effort connectivity, no bandwidth guarantees
- Hardware Reliability: Enterprise-grade equipment with redundancy

11.2. Maintenance and Updates:
a) Scheduled Maintenance: Communicated via email when reasonably practicable

b) Emergency Maintenance: May occur without prior notice for security

c) System Updates: Infrastructure updates outside client control

d) Client Maintenance: VPS software updates remain client responsibility

11.3. Performance Monitoring:
- Resource Alerts: Notification when approaching plan limits
- Abuse Detection: Automated systems monitor for policy violations
- Performance Impact: Resource-intensive processes may be limited
- Escalation Procedures: Contact [email protected] for performance issues

11.4. Service Credits and Compensation:
- No SLA Guarantees: Service provided on best-effort basis
- Statutory Rights: Consumer rights under applicable law remain
- Force Majeure: No compensation for events beyond reasonable control
- Alternative Resolution: Mediation available for EU consumers

§ 12. Suspension and Termination Procedures


(Due process, proportionality, EU Charter Art. 47 - Right to fair trial)

12.1. Suspension Triggers:
a) Policy Violations: Material breach of acceptable use policies

b) Security Threats: Compromised accounts or malware detection

c) Legal Requirements: Court orders, law enforcement requests

d) Payment Issues: Non-payment beyond grace period (7 days)

e) Resource Abuse: Sustained violation of plan limits

12.2. Suspension Procedures:
- Notice Period: Reasonable advance notice except for security emergencies
- Investigation: Reasonable investigation before action
- Temporary Suspension: Limited access to allow remediation
- Client Response: Reasonable time to address identified issues

12.3. Appeal and Remediation Process:
a) First Warning: Email notification with specific violation details

b) Remediation Period: Reasonable time to correct non-security violations

c) Appeal Process: Contact [email protected] with supporting evidence

d) Independent Review: Internal review by different staff member

12.4. Termination Conditions:
- Immediate Termination: Illegal activity, security threats, repeat violations
- Standard Termination: Reasonable notice for policy violations
- Client Termination: 30 days notice required for contract termination
- Data Recovery: Reasonable grace period for data retrieval after termination

12.5. Termination Consequences:
- Service Access: Immediate revocation upon termination
- Data Deletion: Permanent removal after grace period
- Refund Policy: Pro-rated refunds for unused service periods (except violations)
- Outstanding Charges: Remain due and payable

PART IV: INTELLECTUAL PROPERTY AND CONTENT



§ 13. DMCA Compliance (United States)


(17 USC §512 - Digital Millennium Copyright Act)

13.1. Copyright Policy Statement:
- tinybox respects intellectual property rights of all parties
- We comply with DMCA safe harbor provisions under 17 USC §512(c)
- Repeat infringers will have their accounts terminated
- This policy applies to all content stored on our servers

13.2. Designated Copyright Agent:
DMCA Agent: Mateusz Chrobok PWND
Email: [email protected]
Subject Line: "DMCA Takedown Notice"
Postal Address: Staromiejska 6/10D, Poland

13.3. DMCA Takedown Notice Requirements:
All takedown notices must include:
a) Physical or electronic signature of copyright owner or authorized agent

b) Identification of copyrighted work claimed to be infringed

c) Identification of infringing material and its location on our servers

d) Contact information including address, phone, email of complainant

e) Good faith statement that use is not authorized by copyright owner

f) Accuracy statement under penalty of perjury that information is accurate

g) Authorization statement that complainant is authorized to act

13.4. DMCA Counter-Notification Process:
Clients may submit counter-notification containing:
a) Physical or electronic signature of subscriber

b) Identification of material removed and its former location

c) Good faith statement under penalty of perjury that material was removed by mistake

d) Consent to jurisdiction of Federal District Court

e) Complete contact information for service of process

13.5. Takedown and Restoration Timeline:
- Takedown: Within reasonable time of valid notice receipt
- Client Notification: Immediate notification of affected client
- Counter-Notice Period: 10-14 business days for client response
- Restoration: Within 10-14 business days if no court action filed

§ 14. Digital Services Act Compliance (European Union)


(EU Regulation 2022/2065 - Digital Services Act)

14.1. Illegal Content Reporting System:
- Reporting Channel: [email protected] with subject "DSA Report"
- 24/7 Availability: Electronic reporting system accessible continuously
- Response Timeline: Reasonable response time as required by DSA
- Languages: Reports accepted in English, Polish, and major EU languages

14.2. Content Moderation Transparency:
a) Decision Records: All content decisions documented with reasoning

b) Notification System: Affected users notified in reasonable time

c) Appeal Mechanism: Internal review process available

d) Transparency Reports: Annual publication of moderation statistics

14.3. Notice and Action Procedures:
Required Information for Reports:
- Clear identification of allegedly illegal content
- Location/URL of content on our infrastructure
- Legal basis for illegality claim
- Reporter contact information
- Electronic signature or equivalent authentication

14.4. Risk Assessment and Mitigation:
- Systemic Risk Evaluation: Annual assessment for illegal content risks
- Mitigation Measures: Proactive content scanning and user education
- External Audits: Independent compliance verification as required
- Crisis Response: Rapid response protocols for serious incidents

14.5. User Rights and Appeals:
a) Appeal Rights: Challenge content moderation decisions

b) Appeal Timeline: 30 days from decision notification

c) Review Process: Independent review by different staff member

d) External Dispute Resolution: Access to certified out-of-court settlement

§ 15. Content Moderation and Reporting



15.1. Content Standards:
- Legal Compliance: All content must comply with applicable laws
- Community Guidelines: Additional standards for acceptable content
- Cultural Sensitivity: Respect for diverse communities and viewpoints
- Platform Integrity: No content designed to abuse or manipulate services

15.2. Proactive Monitoring:
a) Automated Detection: Hash-based detection of known illegal content

b) Pattern Recognition: Behavioral analysis for suspicious activities

c) User Reports: Community-driven content flagging system

d) Random Audits: Periodic manual review of hosted content

15.3. Content Categories and Actions:

Immediately Removable (no warning):
- Child sexual abuse material (CSAM)
- Terrorist content and recruitment
- Non-consensual intimate images
- Doxxing and harassment campaigns
- Malware and phishing content

Subject to Warning (24-hour remediation period):
- Copyright infringement with valid notice
- Trademark violations
- Spam and unsolicited commercial content
- Misinformation with harmful potential

Educational Intervention (guidance provided):
- Minor policy violations
- Unclear content classification
- Technical compliance issues

15.4. Cross-Border Cooperation:
- Law Enforcement: Compliance with lawful requests per MLATs
- Industry Cooperation: Participation in content sharing databases
- Regulatory Coordination: Regular communication with EU/US authorities
- International Standards: Adherence to UN Guiding Principles on Business and Human Rights

15.5. Content Preservation:
- Evidence Preservation: Retain removed content for legal proceedings (180 days)
- Appeal Records: Maintain decision history for transparency
- Legal Hold: Extended retention per court order or investigation
- Data Minimization: Delete preserved content when no longer needed

15.6. Reporting and Statistics:
Monthly Internal Reports:
- Content removal statistics by category
- Appeal success rates and timelines
- False positive/negative analysis
- User satisfaction with appeals process

Annual Transparency Report:
- Government requests and compliance rates
- Copyright takedown statistics
- Content moderation effectiveness metrics
- Investment in trust and safety measures

PART V: DATA PROTECTION AND PRIVACY



§ 16. GDPR/RODO Compliance (European Union)


(EU Regulation 2016/679 - General Data Protection Regulation)

16.1. Data Controller Information:
- Controller: Mateusz Chrobok PWND
- Registration: VAT ID PL 9542501714
- Address: Staromiejska 6/10D, Poland
- Contact: [email protected]
- DPO Contact: [email protected] (Data Protection Officer inquiries)

16.2. Categories of Personal Data Processed:

a) Account Data: Name, email address, billing address, phone number

b) Technical Data: IP addresses, SSH keys, server access logs

c) Payment Data: Processed by authorized payment processors:
- TPAY (Krajowy Integrator Płatności S.A.) - Poland, EU
- Stripe Payments Europe, Ltd. - Global processing
- PayPo Sp. z o.o. - Buy now, pay later (Poland)

d) Communication Data: Support tickets, email correspondence

e) Usage Data: Service usage statistics, performance metrics

16.3. Legal Bases for Processing (GDPR Article 6):
- Contract Performance (Art. 6(1)(b)): Service delivery, billing, support
- Legal Obligation (Art. 6(1)(c)): Tax records, telecommunications data retention
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention
- Consent (Art. 6(1)(a)): Marketing communications, analytics cookies

16.4. Data Retention Periods:
- Account Data: Duration of contract + 3 years (legal claims limitation)
- Technical Logs: 12 months (telecommunications law requirement)
- Payment Records: 10 years (tax law requirement)
- Support Communications: 3 years (service quality and legal claims)
- Marketing Data: Until consent withdrawal or 2 years of inactivity

16.5. Data Subject Rights (GDPR Articles 15-22):
Right of Access (Art. 15):
- Request copy of personal data
- Information about processing purposes
- Contact: [email protected]
- Response time: 30 days

Right to Rectification (Art. 16):
- Correct inaccurate personal data
- Complete incomplete data
- Via account dashboard or email request

Right to Erasure (Art. 17):
- Delete personal data when no longer necessary
- Withdraw consent for marketing
- Note: Some data retention required by law

Right to Restrict Processing (Art. 18):
- Limit processing pending verification
- Object to processing based on legitimate interest
- Maintain data but restrict use

Right to Data Portability (Art. 20):
- Receive data in structured, machine-readable format
- Transmit data to another controller
- Available for contract and consent-based processing

Right to Object (Art. 21):
- Object to legitimate interest processing
- Opt-out of direct marketing
- Right to human review of automated decisions

16.6. International Data Transfers:
- Primary Processing: EU/EEA (Poland-based servers)
- Payment Processing: EU (TPAY in Poland)
- Third-Country Transfers: Only with adequate protection:
  - EU Commission adequacy decisions
  - Standard Contractual Clauses (SCCs)
  - Specific consent for non-adequate countries

16.7. Data Protection Impact Assessment:
- Regular DPIA for high-risk processing
- Automated security monitoring systems
- Large-scale systematic monitoring
- Results available upon request to supervisory authority

§ 17. UK-GDPR Compliance (United Kingdom)


(Data Protection Act 2018, UK GDPR)

17.1. UK Representative (if applicable):
- For UK data subjects: Mateusz Chrobok PWND acts as controller
- UK-specific complaints: [email protected]
- ICO Registration: As required by UK law

17.2. UK-Specific Rights:
- All GDPR rights apply equivalently under UK law
- Supervisory Authority: Information Commissioner's Office (ICO)
- Complaint Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Online Complaints: Available via ICO website

17.3. Brexit Compliance:
- Separate legal basis for UK personal data processing
- UK adequacy decision for EU transfers (if maintained)
- Standard Contractual Clauses for EU-UK transfers if needed

§ 18. CCPA/CPRA Compliance (California, United States)


(California Consumer Privacy Act as amended by CPRA)

18.1. California Consumer Rights:
Right to Know (CCPA §1798.110):
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties receiving information

Right to Delete (CCPA §1798.105):
- Request deletion of personal information
- Exceptions for legal obligations and legitimate business needs
- Response within 45 days (extendable to 90 days)

Right to Opt-Out (CCPA §1798.120):
- Opt-out of sale of personal information
- Note: tinybox does not sell personal information
- Opt-out of targeted advertising (CPRA)

Right to Correct (CPRA §1798.106):
- Correct inaccurate personal information
- Available via account settings or email request

Right to Limit (CPRA §1798.121):
- Limit use of sensitive personal information
- Applies to SSN, financial data, precise geolocation

18.2. CCPA Disclosure Requirements:
Personal Information Categories Collected:
- Identifiers (name, email, IP address)
- Commercial information (service usage, billing)
- Internet activity (server logs, access patterns)
- Geolocation data (approximate location from IP)

Business Purposes for Collection:
- Service provision and customer support
- Security and fraud prevention
- Legal compliance and record keeping
- Service improvement and analytics
- User experience optimization through behavior analysis

18.3. California Consumer Request Process:
- Request Methods: Email to [email protected] or online form
- Verification: Two-factor authentication via account email
- Response Time: 45 days (extendable to 90 days with notice)
- No Fee: Requests fulfilled without charge
- Authorized Agents: Accepted with proper documentation

§ 19. Cookies and Tracking Technologies


(EU ePrivacy Directive 2002/58/EC, UK PECR, Various State Laws)

19.1. Cookie Categories and Legal Basis:
Strictly Necessary Cookies (no consent required):
- Session management and authentication
- Security and fraud prevention
- Service delivery functionality
- Load balancing and performance

Functional Cookies (consent required):
- User preferences and settings
- Language and region selection
- Enhanced user experience features

Analytics Cookies (consent required):
- Google Analytics: Website usage statistics
- Hotjar: User behavior analysis, session recordings, heatmaps
- Server Analytics: Performance monitoring
- Anonymization: IP address anonymization enabled

Marketing Cookies (consent required):
- Facebook Pixel: Conversion tracking
- Remarketing: Targeted advertising
- Third-party tracking: Social media integration

19.2. Consent Management:
- Cookie Banner: Appears on first visit
- Granular Consent: Category-specific opt-in/opt-out
- Consent Records: Timestamped consent decisions stored
- Withdrawal: Easy opt-out via cookie settings
- Refresh: Annual consent refresh for marketing cookies

19.3. Third-Party Services:
Google Analytics:
- Purpose: Website traffic analysis
- Data Retention: 26 months maximum
- IP Anonymization: Enabled
- Opt-out: Available via browser settings

Hotjar:
- Purpose: User experience analysis and session recordings
- Data Retention: 365 days maximum
- IP Anonymization: Enabled
- Opt-out: Available via cookie consent settings

Facebook Pixel:
- Purpose: Conversion tracking and remarketing
- Data Sharing: Limited to conversion events
- Opt-out: Available via Facebook Ad Preferences

§ 20. International Data Transfers


(GDPR Chapter V, UK Data Protection Act 2018, Various Privacy Laws)

20.1. Transfer Mechanisms:
EU Commission Adequacy Decisions:
- UK (if maintained post-Brexit)
- Switzerland, Canada, Japan, South Korea
- Other jurisdictions as recognized

Standard Contractual Clauses (SCCs):
- EU Commission SCCs (2021/914)
- UK International Data Transfer Agreement (IDTA)
- Additional safeguards as required

Compliance Standards:
- ISO 27001 compliance
- Industry-specific privacy standards adherence
- Binding corporate rules (if applicable)

20.2. Transfer Impact Assessment:
- Legal framework evaluation in destination country
- Practical access by government authorities
- Additional technical and organizational measures
- Regular monitoring and review

20.3. Specific Transfer Scenarios:
Payment Processing:
- TPAY (Poland) - adequate protection within EU/EEA
- Stripe (Ireland) - adequate protection within EU/EEA, global with SCCs
- PayPo (Poland) - adequate protection within EU/EEA

Technical Support: EU-based staff only
Legal Compliance: Information may be shared with authorities per legal requirements
Business Continuity: Backup services within EU/EEA only

20.4. Data Subject Notifications:
- Specific information about international transfers
- Safeguards in place for protection
- Right to obtain copy of safeguards
- Contact information for complaints about transfers

PART VI: LIABILITY, DISPUTES AND GOVERNANCE



§ 21. Limitation of Liability


(EU Product Liability Directive, Unfair Contract Terms Directive, Consumer Rights)

21.1. Scope of Liability Limitations:
These limitations apply only to the maximum extent permitted by applicable law and do not affect:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Statutory consumer rights that cannot be excluded
- Data protection violations under GDPR
- Intentional misconduct or gross negligence

21.2. Service-Related Liability:
a) Service Availability: No guarantee of uninterrupted service

b) Data Loss: Provider not liable for client data loss except where caused by gross negligence

c) Third-Party Actions: Not liable for actions of other clients or external parties

d) Force Majeure: No liability for events beyond reasonable control

e) Security Breaches: Liability limited to notification obligations and remedial measures

21.3. Financial Limitations (Business Clients Only):
- Maximum Liability: Limited to fees paid in 12 months preceding claim
- Indirect Damages: No liability for lost profits, business interruption, data corruption
- Consequential Damages: Excluded except where prohibited by law
- Multiple Claims: Aggregate liability cap applies to related claims

21.4. Consumer Protection Compliance:
EU/UK Consumers: All statutory rights preserved including:
- Right to conforming services under Consumer Rights Directive
- Remedies for defective digital content
- Unfair contract terms protection

US Consumers: State consumer protection laws remain applicable:
- Warranty disclaimers subject to state law limitations
- Unconscionable contract terms may be unenforceable
- Class action rights preserved where applicable

§ 22. Force Majeure and Service Interruptions



22.1. Force Majeure Events:
Events beyond reasonable control including:
- Natural disasters, extreme weather, geological events
- War, terrorism, civil unrest, government actions
- Cyber attacks, infrastructure failures, internet outages
- Pandemic, epidemic, public health emergencies
- Labor disputes, supplier failures, regulatory changes

22.2. Force Majeure Procedures:

a) Notice: Prompt notification to affected clients via email

b) Mitigation: Reasonable efforts to minimize impact and duration

c) Alternative Solutions: Temporary workarounds where possible

d) Regular Updates: Status updates as reasonably practicable during major events

e) Documentation: Maintenance of records for insurance and legal purposes

22.3. Service Level Adjustments:
- Planned Maintenance: Maximum 4 hours monthly with 48-hour advance notice
- Emergency Maintenance: Immediate action for security or stability
- Capacity Management: Temporary resource limitations during high demand
- Network Issues: Best effort restoration with priority for critical systems

22.4. Client Remedies During Interruptions:
- Communication: Regular status updates via email and website
- Technical Support: Priority assistance for service restoration
- Service Credits: Pro-rated credits for extended outages (>24 hours)
- Alternative Access: Backup access methods where technically feasible

§ 23. Governing Law and Jurisdiction



23.1. Governing Law Selection:
Primary Governing Law: Polish law (Republic of Poland)
Consumer Protections:
- EU consumers retain protection of their country of residence
- UK consumers retain UK Consumer Rights Act protections
- US consumers retain applicable state and federal protections
- International consumer protection treaties apply where applicable

23.2. Jurisdiction and Venue:
Business Disputes:
- Primary jurisdiction: Courts of Poland
- Alternative: Courts of defendant's domicile (Brussels Regulation)

Consumer Disputes:
- Consumer may sue in their country of residence
- Provider may only sue consumer in consumer's country of residence
- Small claims courts available for qualifying disputes

23.3. International Arbitration (Business Clients):
- UNCITRAL Rules: Alternative to court proceedings
- Seat of Arbitration: Warsaw, Poland or mutually agreed location
- Language: English or Polish as agreed by parties
- Appeal Rights: Limited as per arbitration rules

§ 24. Dispute Resolution (including ODR for EU consumers)


(EU ODR Regulation 524/2013, Consumer ADR Directive 2013/11/EU)

24.1. Internal Complaint Procedures:
First Level - Customer Service:
- Contact: [email protected] for technical issues
- Contact: [email protected] for billing/administrative issues
- Response time: Best effort acknowledgment and resolution
- Escalation: Supervisor review available upon request

Second Level - Management Review:
- Escalation for unresolved complaints after 14 days
- Independent review by senior management
- Written response within reasonable time
- Final internal decision with reasoning provided

24.2. Alternative Dispute Resolution (ADR):
EU Consumer Disputes:
- EU ODR Platform: Available at https://ec.europa.eu/consumers/odr/
- Certified ADR Entities: List available on EU ODR platform
- No Obligation: Participation voluntary but encouraged
- Outcomes: May result in binding or non-binding resolution

UK Consumer Disputes:
- ADR Entity: As required by UK consumer protection laws
- Ombudsman Services: Available for eligible disputes
- Cost: Free to consumers, provider covers ADR fees

US Consumer Disputes:
- State-Specific ADR: Available per state consumer protection laws
- Industry Arbitration: American Arbitration Association programs
- Class Action Rights: Preserved unless specifically waived

24.3. Mediation Services:
- International Mediation: Available for cross-border disputes
- Language Support: English, Polish, major EU languages
- Duration: Typically 30-90 days for resolution
- Costs: Shared between parties unless otherwise agreed

24.4. Emergency Procedures:
For urgent matters requiring immediate attention:
- Security Issues: [email protected] marked "URGENT SECURITY"
- Legal Process: Compliance with court orders and law enforcement
- Data Breach: Immediate notification per GDPR Article 33/34
- 24/7 Contact: Emergency contact information provided to active clients

§ 25. Amendment Procedures



25.1. Amendment Authorization:
- Authority: Only authorized representatives may amend these terms
- Documentation: All amendments documented with effective dates
- Legal Review: Changes subject to legal compliance verification
- Stakeholder Consultation: Material changes may involve user feedback

25.2. Notice Requirements:
Standard Amendments:
- Advance Notice: 30 days via email to registered address
- Website Publication: Posted prominently on service website
- Clear Identification: Changes highlighted in notice
- Effective Date: Clearly specified future date

Material Changes (affecting core rights or obligations):
- Extended Notice: Reasonable advance notice (minimum 30 days)
- Detailed Explanation: Reasoning for changes provided
- Consumer Rights: May trigger new cooling-off period
- Opt-out Rights: Termination without penalty during notice period

25.3. Consumer Protection in Amendments:
EU/UK Consumers:
- Cannot reduce statutory rights through amendments
- Unfair terms subject to challenge regardless of notice
- Right to terminate without penalty for material adverse changes

US Consumers:
- State consumer protection laws remain applicable
- Unconscionable amendments may be unenforceable
- Class action waivers subject to state law validity

25.4. Acceptance and Rejection:
a) Deemed Acceptance: Continued use after effective date

b) Express Rejection: Written notice to [email protected]

c) Termination Right: Cancel service without penalty during notice period

d) Grandfathering: Existing rights preserved during transition period

25.5. Emergency Amendments:
Immediate Changes Permitted for:
- Legal compliance requirements (court orders, regulatory mandates)
- Security vulnerabilities requiring urgent response
- Service interruptions affecting user safety
- Force majeure events requiring operational changes

Post-Emergency Procedures:
- Retroactive notice within 48 hours
- Explanation of emergency justification
- Opportunity for feedback and objection
- Reversion to standard procedures when possible

PART VII: FINAL PROVISIONS



§ 26. Severability and Compliance Monitoring



26.1. Severability Clause:
- Invalid Provisions: If any provision is deemed invalid, unlawful, or unenforceable, it shall be severed
- Remaining Terms: All other provisions remain in full force and effect
- Replacement Terms: Invalid provisions replaced with valid terms achieving similar commercial effect
- Jurisdictional Variations: Different enforceability standards may apply per jurisdiction

26.2. Regulatory Compliance Monitoring:
Continuous Compliance Program:
- Legal Updates: Quarterly review of applicable laws and regulations
- Policy Updates: Annual comprehensive review of all terms and policies
- Training: Regular staff training on privacy and consumer protection requirements
- Audit: Annual third-party compliance audit for GDPR and industry standards

Compliance Reporting:
- Internal Reports: Monthly compliance status reports to management
- External Reports: Annual transparency reports published online
- Regulatory Filings: Timely submissions to data protection authorities
- Incident Reports: Immediate notification of compliance breaches

26.3. Industry Standards Adherence:
- ISO/IEC 27001: Information security management system standards followed
- OWASP Guidelines: Web application security best practices implemented
- NIST Framework: Cybersecurity framework alignment for infrastructure protection
- Industry Codes: Participation in relevant hosting industry self-regulation

§ 27. Contact Information and Designated Agents



27.1. Primary Business Contact:
Company: Mateusz Chrobok PWND
Address: Staromiejska 6/10D, Poland
VAT ID: PL 9542501714
General Inquiries: [email protected]
Business Hours: Monday-Friday, 9:00-17:00 CET

27.2. Specialized Contact Points:
Technical Support:
- Email: [email protected]
- Response Time: Best effort acknowledgment and resolution
- Emergency Issues: Mark subject line "URGENT" for critical problems
- Languages: English, Polish

Data Protection Officer:
- Email: [email protected] (Subject: "Data Protection Inquiry")
- Responsibilities: GDPR compliance, privacy complaints, data subject requests
- Response Time: As required by GDPR (30 days, extendable to 90 days)

Legal and Compliance:
- Email: [email protected] (Subject: "Legal Matter")
- Court Service: Accepted at registered business address
- Law Enforcement: Compliance with lawful requests per applicable law

27.3. Designated Agents for Legal Compliance:
DMCA Copyright Agent (US Law):
- Name: Mateusz Chrobok PWND
- Email: [email protected]
- Subject Line: "DMCA Takedown Notice"
- Address: Staromiejska 6/10D, Poland

DSA Representative (EU Law):
- Point of Contact: [email protected]
- Subject Line: "DSA Compliance Matter"
- Languages: English, Polish, German, French
- Response Time: As required by DSA (reasonable time)

Consumer ADR Contact (EU/UK):
- ODR Platform: Registered with EU Online Dispute Resolution
- UK ADR Entity: As required by UK consumer protection laws
- Contact: [email protected] (Subject: "Consumer Dispute")

27.4. International Service of Process:
- Hague Convention: Compliance with international service requirements
- EU Service Regulation: Accepted per Brussels Regulation procedures
- Authorized Recipients: Service accepted at registered business address
- Language Requirements: Translation provided for non-English/Polish documents

§ 28. Effective Date and Transition Provisions



28.1. Document Effective Date:
- Version: 2.0
- Effective Date: July 13, 2025
- Previous Version: Supersedes all prior terms of service
- Transition Period: 30 days for existing clients to review changes

28.2. Grandfathering Provisions:
Existing Contracts:
- Current Clients: These terms apply to all services from effective date
- Pricing Protection: Existing pricing honored until next renewal
- Service Levels: No reduction in current service specifications
- Contract Terms: Minimum remaining contract period respected

Legacy Features:
- Deprecated Services: 90-day notice before discontinuation
- Migration Assistance: Free migration to equivalent current services
- Data Export: Full data export assistance during transition

28.3. Implementation Timeline:
Immediate Effect (July 13, 2025):
- Data protection rights and procedures
- Consumer protection enhancements
- Complaint and dispute resolution mechanisms
- Content moderation and reporting systems

30-Day Implementation (August 12, 2025):
- Updated technical security measures
- Enhanced monitoring and compliance systems
- Staff training completion on new procedures

90-Day Full Compliance (October 11, 2025):
- Complete audit of all systems for new requirements
- Third-party compliance verification
- Full implementation of all enhanced consumer protections





ANNEXES



Annex A: GDPR Data Processing Information



Data Controller: Mateusz Chrobok PWND, VAT ID PL 9542501714
Contact: [email protected]
DPO Contact: [email protected]

Processing Activities Summary:
| Purpose | Legal Basis | Data Categories | Retention Period |
|---------|-------------|-----------------|------------------|
| Service Delivery | Contract (Art. 6(1)(b)) | Account, Technical | Contract + 3 years |
| Billing & Payment | Contract (Art. 6(1)(b)) | Payment, Billing | 10 years (tax law) |
| Technical Support | Contract (Art. 6(1)(b)) | Technical, Communication | 3 years |
| Security Monitoring | Legitimate Interest (Art. 6(1)(f)) | Technical, Usage | 12 months |
| Marketing | Consent (Art. 6(1)(a)) | Contact, Preferences | Until withdrawal |
| Legal Compliance | Legal Obligation (Art. 6(1)(c)) | All relevant | Per legal requirement |

Payment Processors (Data Processors under GDPR Article 28):
- TPAY (Krajowy Integrator Płatności S.A.) - Poland, EU/EEA
- Stripe (Stripe Payments Europe, Ltd.) - Ireland, Global with SCCs
- PayPo (PayPo Sp. z o.o.) - Poland, EU/EEA

Annex B: Consumer Rights Summary



EU Consumer Rights:
- 14-day withdrawal right (Consumer Rights Directive)
- Right to conforming digital services
- Unfair contract terms protection
- Alternative dispute resolution access
- Data protection rights under GDPR

UK Consumer Rights:
- Consumer Rights Act 2015 protections
- Distance selling regulations
- UK-GDPR data protection rights
- Access to ombudsman services

US Consumer Rights (varies by state):
- CCPA rights for California residents
- State consumer protection laws
- Federal Trade Commission oversight
- Class action rights preservation




Effective Date: July 13, 2025
Last Updated: July 13, 2025

For questions about these terms, contact us at [email protected]
